Clone Data to 2 Different Groups of Indexers in Splunk
How to configure a Splunk Forwarder (UF and HF) to send all data from defined inputs to two groups of indexers, so that the data is cloned to both groups and load balanced across all available indexers within each group.
# You need to go to the configuration files directory, which is as follows:
# cd /opt/splunk/etc/system/local/
Step 1:
# cat outputs.conf
# Define the server group which should be used as default for TCP forwarding.
[tcpout]
autoLB = true
defaultGroup = XYZ_Indexer
# Define the target servers where the Forwarder should send the data to
# (stanza name is tcpout:<group name>, with no spaces around the colon)
[tcpout:XYZ_Indexer]
server = splunk01.abc:9997, splunk02.abc:9997
# Optional: activate acknowledgement between Forwarder and Indexers
useACK = true
# Define the target servers where the Forwarder should send the data to
[tcpout:MNO_Indexer]
server = splunk111.mno:9997, splunk222.mno:9997
# Optional: activate acknowledgement between Forwarder and Indexers
useACK = true
Step 2:
# cat inputs.conf
# Define the directory which should be monitored, and set values for source, sourcetype and target index.
[monitor:///var/logs/mylog.log]
source = Mysource
sourcetype = Mysourcetype
index = Myindex
_TCP_ROUTING = XYZ_Indexer, MNO_Indexer
NOTE: Since we have set 2 target groups in the _TCP_ROUTING line, the data from this input will be cloned (copied) to both targets. That means both indexer groups will have the same set of data, and we will have to pay for the license 2 times as well.
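A consistency check for the two files above, as an added example (not from the original post or from Splunk): it verifies that every group named in defaultGroup or _TCP_ROUTING has a matching [tcpout:<group>] stanza with at least one server. The function names, the sample configs and the PQR_Indexer group are constructed for illustration, and it assumes stanza names are matched literally, so a header with spaces around the colon does not define the group.

```python
import re

# Constructed sample configs (not the page's files): one stanza header has stray
# spaces and one routed group is never defined, so the check has something to find.
OUTPUTS_CONF = """
[tcpout]
defaultGroup = XYZ_Indexer
[tcpout:XYZ_Indexer]
server = splunk01.abc:9997, splunk02.abc:9997
[tcpout : MNO_Indexer]
server = splunk111.mno:9997, splunk222.mno:9997
"""
INPUTS_CONF = """
[monitor:///var/logs/mylog.log]
_TCP_ROUTING = XYZ_Indexer, MNO_Indexer
[monitor:///var/logs/other.log]
_TCP_ROUTING = XYZ_Indexer, PQR_Indexer
"""

def parse_conf(text):
    """Parse .conf text into {stanza_name: {key: value}}; '#' lines are comments."""
    stanzas, current = {}, None
    for line in map(str.strip, text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            current = stanzas.setdefault(line[1:-1], {})
        elif "=" in line and not line.startswith("#") and current is not None:
            key, _, value = line.partition("=")
            current[key.strip()] = value.strip()
    return stanzas

def names(value):
    return [n.strip() for n in value.split(",") if n.strip()]

def check_routing(outputs_text, inputs_text):
    """Return problems that would keep data from reaching every routed group."""
    outputs, problems, groups = parse_conf(outputs_text), [], set()
    for stanza, settings in outputs.items():
        m = re.fullmatch(r"tcpout\s*:\s*(\S+)", stanza)
        if m and stanza != "tcpout:" + m.group(1):
            problems.append(f"[{stanza}] should be [tcpout:{m.group(1)}]")
        elif m and names(settings.get("server", "")):
            groups.add(m.group(1))
    refs = [("defaultGroup", outputs.get("tcpout", {}).get("defaultGroup", ""))]
    refs += [(f"[{s}]", v.get("_TCP_ROUTING", "")) for s, v in parse_conf(inputs_text).items()]
    for where, value in refs:
        for group in names(value):
            if group not in groups:
                problems.append(f"{where}: no usable [tcpout:{group}] stanza")
    return problems
```

Calling check_routing(OUTPUTS_CONF, INPUTS_CONF) returns the list of problems; an empty list means every routed input has a defined target group in each position of its _TCP_ROUTING line.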
Hope this has helped you in achieving the below requirement without fail:
Clone Data to 2 Different Groups of Indexers in Splunk
Happy Splunking !!